U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

OFFICE OF THE SECRETARY

Information Security in Information Technology
Service Contracts Is Improving,
But Additional Efforts Are Needed

Final Inspection Report No. OSE-16513/September 2004

PUBLIC RELEASE

Office of Systems Evaluation


UNITED STATES DEPARTMENT OF COMMERCE
The Inspector General
Washington, D.C. 20230

SEP 29 2004

MEMORANDUM FOR:    Otto Wolff
                   Chief Financial Officer and
                   Assistant Secretary for Administration

                   Thomas N. Pyke, Jr.
                   Chief Information Officer

FROM:

SUBJECT:           Information Security in Information Technology Service Contracts
                   Is Improving, but Additional Efforts Are Needed
                   Final Inspection Report No. OSE-16513

In September 2003, we reported the results of our independent evaluation of the Department of Commerce's information security program and practices for unclassified systems, as required by the Federal Information Security Management Act (FISMA).[1] As part of our evaluation, and in accordance with guidance provided by the Office of Management and Budget (OMB),[2] we assessed the Department's progress in ensuring that information security is being adequately addressed in information technology (IT) service contracts in light of our May 2002 report on the weaknesses we identified in a sample of 40 such contracts.[3]

As you will recall, we found that most of the 40 contracts had either insufficient security provisions or none at all. We concluded that federal and departmental policy and guidance for incorporating such provisions were lacking and made recommendations for addressing this area.[4] The following table provides a summary of the recommendations presented in the May 2002 report and the status of the actions taken to address them as reported by the Department.

[1] U.S. Department of Commerce Office of Inspector General, September 2003. Independent Evaluation of the Department of Commerce's Information Security Program Under the Federal Information Security Management Act, OSE-16146. Washington, D.C.: Department of Commerce OIG.
[2] Memorandum for Heads of Executive Departments and Agencies, Joshua B. Bolten, Director, Office of Management and Budget, "Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security," August 6, 2003.
[3] U.S. Department of Commerce Office of Inspector General, May 2002. Information Security Requirements Need to Be Included in the Department's Information Technology Service Contracts, OSE-14788. Washington, D.C.: Department of Commerce OIG.
[4] A summary of our recommendations and their status is attached.

U.S. Department of Commerce                                   Final Inspection Report OSE-16513
Office of Inspector General                                                       September 2004

SUMMARY OF OIG RECOMMENDATIONS AND STATUS OF DEPARTMENTAL ACTIONS

1. Recommendation: The Procurement Executive, with the Chief Information Officer (CIO), should develop and disseminate a comprehensive policy for acquisitions of IT systems and services.
   Actions taken (as reported by the Department):
   a. Procurement memorandum (PM) issued on 09/13/00 reemphasized the importance of security. The PM provided a list of resources to assist contract staff.
   b. The CIO issued the IT Security Program and Policy. This policy was added to the resource list identified in the PM.

2. Recommendation: The Procurement Executive, with the CIO and the advice of the Office of General Counsel (OGC), should establish standard contract provisions for safeguarding the security of unclassified systems and information and include such provisions in solicitations and contracts for IT services.
   Actions taken (as reported by the Department):
   a. In 06/03, draft provisions were provided to the Commerce acquisition community, OCIO, OGC, and OIG for comment, and a meeting was held to resolve issues.
   b. Clauses were issued in final on 11/17/03. The clauses became mandatory for new solicitations and contracts for services on 01/01/04. Existing service contracts were to be modified as appropriate by 03/01/04.

3. Recommendation: The Procurement Executive, with program officials and OGC advice, should instruct all heads of contracting offices to review current solicitations and contract actions to determine whether modification is needed to include security provisions.
   Actions taken (as reported by the Department):
   a. The Office of Acquisition Management (OAM) completed an assessment, and a list of contract actions needing modification to incorporate the new security clauses was generated for each contracting office within the Department. This list was forwarded for action by the contracting offices at the end of 01/04.

4. Recommendation: The Procurement Executive, with the CIO and program officials, should ensure that contracting officers, contracting officer's technical representatives (COTRs), and other procurement personnel have job-specific information security training.
   Actions taken (as reported by the Department):
   a. All Department and contract employees completed basic security awareness training.
   b. The content of a job-specific security training module for acquisition staff (including COTRs) was finalized in 08/03. Implementation is pending.

5. Recommendation: The Procurement Executive, with the CIO and program officials, should ensure that contracting officers, IT staff, and program officials are aware of and use NIST Special Publication 800-4, "Computer Security Considerations in Federal Procurements." (Note: As of October 2003, NIST Special Publication 800-64, "Security Considerations in the Information System Development Life Cycle," has superseded NIST Special Publication 800-4.)
   Actions taken (as reported by the Department):
   a. Procurement memorandum issued on 09/13/00 reemphasized the importance of security. The PM provided a list of resources to assist contract staff, which includes NIST Special Publication 800-4.

To assess the Department's progress in fiscal year 2003, we reviewed its new security policy and a sample of IT service contract actions issued as of October 1, 2002. The findings from this review were summarized in our September 2003 FISMA report. We found that the Department's newly issued information security policy contains appropriate requirements for contractors and other government agencies that support Commerce. The Department also drafted standard contract provisions for safeguarding the security of sensitive but unclassified systems and information, which require, among other things, a certification and accreditation package[5][6] for contracted IT resources/services that involve connection to Commerce networks or storage of Commerce data on contractor-owned systems.[7] However, while most of the contract actions we reviewed contained some security coverage, adequate provisions for controlling access to departmental systems and networks were still missing.
We also found little coordination among the contracting, technical, and security staff responsible for developing contract-specific security requirements, and minimal oversight of individual contractor compliance with security requirements.

Although our findings were presented in our September 2003 FISMA report, we did not make recommendations. This memorandum report provides additional discussion of these findings as well as recommendations to further ensure that information and information systems are adequately secure when contractor-provided services are used.

Discussion of Department's Response to the Draft Report

In a July 12, 2004, memorandum, the Chief Financial Officer and Assistant Secretary for Administration agreed with our three recommendations and described corrective actions that are planned or under way. His subsequent September 28, 2004, memorandum provided additional information on the corrective actions. We concur with the actions described, which are summarized below. The complete response is included as an attachment to this report.

In response to our first recommendation to review a sample of current IT service contracts to determine whether they have been modified where necessary to incorporate appropriate security provisions, the response states that the Procurement Executive will ask each Department contracting office to detail the status of efforts to incorporate security provisions into current contracts and require offices that have not completed the effort to set milestones for doing so. The response also states that the Procurement Executive's staff is currently working with the Department's CIO Office to incorporate a review of service contracts in the FY 2004 IT security compliance review program. It indicates that a random sample of contracts will be reviewed to determine whether or not contracting offices have modified applicable contracts to include the mandatory IT security contract clauses.

[5] Certification is the formal testing of the security safeguards implemented in a computer system to determine whether they meet applicable requirements and specifications. Accreditation is the formal authorization by management for system operation, including an explicit acceptance of residual risk.
[6] Documentation required in the certification and accreditation package includes a system security plan, other system information (e.g., risk assessment, contingency plans, information on security training, security roles and responsibilities, and system documentation), and certification documentation (i.e., test plan and test results) and the certifier's recommendation.
[7] At the time of our fiscal year 2003 FISMA report, the contract provision was under departmental review. It was finalized in November 2003.

Our second recommendation is to implement procedures to strengthen communication between the contracting officer, COTRs, and information security staff. The response states that the Procurement Executive will work with the CIO's office and program officials to strengthen communication and put controls in place that use existing contract management, review, and compliance processes to ensure that IT security is considered during the pre-solicitation, award, and post-award phases of the acquisition process. It also indicates that the Procurement Executive's staff will issue guidance on IT security contract requirements throughout the various phases of the acquisition process and incorporate training on these requirements into the CO/COTR IT security training module that is currently being developed.

Our third recommendation is to establish procedures and accountability for reviews of contractor compliance with security procedures and controls. The response states that the Procurement Executive, CIO, and OGC staffs will work together to ensure adequate reviews are incorporated into existing contract review processes and coordinated among the CO, COTR, system owner, and information security staff; and that the Procurement Executive staff will issue guidance regarding these reviews.

We appreciate the cooperation and courtesies extended to us by the Office of Acquisition Management, the Office of the Chief Information Officer, and the contracting offices at the bureaus we reviewed.

BACKGROUND

The Department continues to rely heavily on contractors to provide IT services. In fiscal year 2003, $350 million of the nearly $535 million Commerce spent on IT contracts went to contractors for services, such as software development, installation, configuration, testing, operations, and maintenance, as well as website development and management.

Federal regulations and departmental guidance require that individuals, including contractors, who have access to information systems follow established security rules and be held accountable for safeguarding systems and data. To hold contractors accountable, contract solicitations and award documents should include appropriate security provisions. In addition, appropriate contract administration procedures, such as performance measurement and on-site inspections, should be in place to ensure that contractors are using appropriate methods for safeguarding the Department's sensitive information systems and data. Compliance reviews should be consistent with agency policies for testing and evaluating information security policies and controls.

OBJECTIVES, SCOPE, AND METHODOLOGY

Our purpose was to expand upon our 2003 FISMA findings and provide additional recommendations based on our follow-up review of the Department's progress in implementing the recommendations in our May 2002 report. As part of this process, we reviewed current departmental and acquisition policies, and examined a sample of 24 contract actions awarded from October 1, 2002, through July 31, 2003, by a cross-section of departmental units.[8] We reviewed contract documentation to determine whether adequate security provisions were included and, if so, whether contractors were complying with the requirements. Our scope was limited to contracts dealing with sensitive but unclassified systems and information.

The Department Needs to Ensure that IT Service Contracts Contain the New Security Clauses and that Appropriate Contract Oversight Occurs

The Department has made significant progress in implementing our previous recommendations. A new information security program policy was issued in January 2003, which states that IT security officers, system owners,[9] and COTRs must work together to ensure that information security is adequately addressed throughout the acquisition process.
It also states that contracts must include language requiring contractors and subcontractors to give the Department access to facilities, operations, documentation, databases, and personnel used in performing the contract, for the purpose of ensuring contractor compliance in safeguarding government information and systems. In an April 2003 policy memorandum, the Office of Acquisition Management (OAM) reemphasized the importance of considering IT security in acquisitions, and recommended the new information security policy be used as an additional resource in addressing IT security issues. According to the Department, all employees have completed security awareness training, and the content of an IT security training module for the acquisition community (including COTRs) has been approved, and implementation is pending.

Additionally, OAM, with the assistance of the Department CIO's office and program officials, drafted two comprehensive standard contract clauses for safeguarding unclassified systems and information. These are to be included in all solicitations and contracts for services that involve IT or require contractor access to information systems and/or data. The first, Commerce Acquisition Regulation (CAR) 1352.239-73, Security Requirement for Information Technology Services, requires contractors (and subcontractors) and their employees to adhere to specific information security policy, and holds them to the standards of accountability for sensitive federal information systems and data that apply to federal employees. When contractor-owned systems are to be interconnected with a departmental system or process and/or store government data, the clause requires the contractor to provide, implement, and maintain an IT security plan, and submit a system certification and accreditation package. The second clause, CAR 1352.239-74, Security Processing Requirements for Contractors/Subcontractors Personnel for Accessing DOC Information Technology Systems, requires any contractor personnel needing access to departmental systems to (1) be appropriately screened according to the risk level of the work being performed, and (2) complete security awareness training. This clause also requires inclusion of CAR 1352.209-72, Restrictions Against Disclosures, an existing clause that requires contractors to agree to keep government-furnished information in the strictest confidence and to restrict access to such information on a need-to-know basis. The two new clauses were finalized in November 2003 and became mandatory for all new solicitations and contracts for services on January 1, 2004. Existing contracts were to be modified to include the clauses, as appropriate, by March 1, 2004.

[8] The Department's Office of the Secretary, the National Oceanic and Atmospheric Administration, the National Institute of Standards and Technology, the Bureau of the Census, and the U.S. Patent and Trademark Office.
[9] The Department's information security policy defines a system owner as a project manager with day-to-day management and operational control over the system and direct oversight of the system/network administrators and operations staff.

Review of Contracts Needed to Ensure Appropriate Inclusion of New Clauses

Though the standard clauses had not been finalized at the time of our FY 2003 FISMA review, the Department's information security policy and acquisition guidance emphasized the need for IT security provisions in contracts. Most contract actions we assessed for the FY 2003 review contained at least minimal provisions, primarily related to personnel security, i.e., requirements for risk and suitability assessments and background clearances for contractors working in government facilities; some included requirements for contractors to attend security awareness training and follow departmental and/or bureau information security procedures. However, only 2 of the 24 contracts we reviewed contained comprehensive security provisions like those that were being developed by the Department, which require contractors to adhere to specific IT security policy and to be accountable for federal information and information systems.

When the standard contract provisions for safeguarding unclassified systems and information became mandatory, OAM provided a list of current contract actions to heads of contracting offices (HCOs) and asked them to review the list, determine which actions might need the new clauses, modify them accordingly by March 1, 2004, and notify the Department's Procurement Executive if the deadline could not be met. These are important steps. However, to ensure the Department's sensitive information and information systems are protected, OAM now needs to take the additional step of periodically reviewing a sample of contracts in each operating unit to confirm inclusion of the appropriate security provisions.

Contractors' Compliance With Information Security Provisions Needs Oversight

We found little evidence of appropriate review of contractor compliance with security requirements. FISMA requires that controls be in place to protect the government's information and information systems and that these controls be periodically tested and evaluated. OMB's reporting instructions to agencies and inspectors general ask whether appropriate methods have been used to ensure that contractor-provided services comply with security guidelines. The Department's information security policy requires that contractors adhere to the Department's established security policies when working with Commerce IT systems and data, and, as previously stated, that contracts contain provisions allowing access for the purpose of IT inspection, investigation, and audit.

The Department's fiscal year 2003 FISMA report indicated that appropriate methods were used to ensure that contractor-provided services comply with security guidelines, but cited only one specific compliance mechanism, an automated notification system informing COTRs of contractors who fail to complete security awareness refresher training within the required time frame. Contracting staff we spoke with were not aware of any compliance inspections of contractors' facilities or operations, nor was there any evidence in the contract files to indicate such reviews had been performed. These inspections are not solely the responsibility of the contracting office; there needs to be coordination among COTRs, departmental system owners (or cognizant program officials), and security officials to determine and implement an appropriate review strategy.

Conclusion

With the contract clauses finalized and their use mandated, the Department has a solid foundation for improving security in its IT service contracts. The clauses are comprehensive enough to ensure that contractors and their employees are aware of their duties and responsibilities for adequately safeguarding sensitive data and systems. Contracting officers, COTRs, system owners, and IT security staff must work together to include any additional requirements specific to the systems and data being accessed by contractor employees, and continue to monitor and identify any security issues throughout the life cycle of the contract. The implementation of the IT security training for COs and COTRs will also foster awareness.

Contracting, technical, and program personnel, as well as IT security staff, have a significant management and oversight role in ensuring that adequate controls are in place and contractors are adhering to the appropriate information security policies. The Department needs to strengthen communication among these personnel in ways that will foster consistent integration of adequate security in IT service contracts.

Mechanisms for strengthening this communication could include (1) requiring the IT security staff to sign off on the procurement request; (2) having IT security staff and the COTR complete an information security checklist in the preaward phase for inclusion in the contract file so that information security is considered during requirements definition and solicitation; and (3) throughout the contract's performance period, holding regularly scheduled information security status meetings among the contracting officer, COTR, system owner, and information security staff to discuss contractor performance.

Moreover, to ensure contractor compliance with security procedures and controls, the Department's Procurement Executive, with assistance from the CIO, needs to establish procedures and assign accountability for conducting reviews of service contracts, in accordance with FISMA, OMB policy, NIST guidance, and the Department's information security policy, to ensure that contractors are complying with security procedures and controls. Criteria should be established, including the scope, nature, and frequency of the reviews. These reviews should be coordinated among the contracting officer, the COTR, the system owner, and the information security staff, with documentation of the review included in the contract file.

RECOMMENDATIONS

The Chief Financial Officer and Assistant Secretary for Administration should take the necessary steps to ensure that the Department's Procurement Executive, with the CIO's assistance, does the following:

1. Reviews a sample of current contracts to determine whether appropriate security provisions have been incorporated.

2. Implements procedures to strengthen communication between the contracting officer, COTRs, and information security staff.

3. Establishes procedures and assigns accountability to the CO and COTR, as appropriate, to conduct reviews of service contracts, in accordance with FISMA, OMB policy, NIST guidance, and the Department's information security policy, that will ensure contractor compliance with security procedures and controls.
   a. Criteria should be established, including the scope, nature, and frequency of the reviews.
   b. These reviews should be coordinated among the contracting officer, the COTR, the system owner, and the information security staff.
   c. Documentation of the review should be included in the contract file.

Attachment

cc: Michael S. Sade, Director for Acquisition Management and Procurement Executive, U.S. Department of Commerce
    Karen Hogan, Deputy Chief Information Officer, U.S. Department of Commerce
    William Lay, Director, IT Security, Infrastructure, and Technology, U.S. Department of Commerce


ATTACHMENT

UNITED STATES DEPARTMENT OF COMMERCE
Chief Financial Officer
Assistant Secretary for Administration
Washington, D.C. 20230

JUL 12 2004

MEMORANDUM FOR:    Judith J. Gordon
                   Assistant Inspector General for Systems Evaluation
                   Office of Inspector General

FROM:              Otto J. Wolff
                   Chief Financial Officer
                   Assistant Secretary for Administration

SUBJECT:           Information Security in Information Technology Service Contracts
                   is Improving, but Additional Efforts are Needed
                   Draft Inspection Report No. OSE-16513

This memorandum provides our response to the findings and recommendations in your draft report on information security in the Department of Commerce's information technology service contracts.

In general, we agree with the findings and conclusions found in the subject draft report. We will continue to work on the specific details (milestones, implementation plans, etc.) to address those concerns and specific recommendations set forth in the draft report, as well as the final report. Our comments address each of the three recommendations made in the draft report.

Recommendation #1 - Review a sample of current contracts to determine whether appropriate security provisions have been incorporated.

We agree with the recommendation that the Department's Procurement Executive should determine whether appropriate security provisions have been incorporated into current contracts as required by Procurement Memorandum 2003-09, Information Technology Security Clauses, issued November 17, 2003. To accomplish this, the Department's Procurement Executive staff will request the status of incorporation of the required clauses in applicable contracts from each Department contracting office. In those instances where the clauses have not been incorporated, the Procurement Executive will require that the contracting office provide established milestones for incorporation. Procurement Executive staff will monitor to ensure the established milestones for incorporation are met. The request for status is anticipated to be completed by July 31, 2004.

Recommendation #2 - Implement procedures to strengthen communication between the contracting officer, COTRs, and information security staff.

We agree that communication between the contracting officer, Contracting Officer Technical Representatives (COTR), and information security staff should continue to be strengthened. The Procurement Executive strongly supports communication and partnership within the acquisition community (Contract Specialists, Contracting Officers and Contracting Officer Technical Representatives (COTR)/Contracting Officer Representatives (COR)), with stakeholders such as the Office of Chief Information Officer (OCIO), Office of Inspector General (OIG), Office of General Counsel (OGC), as well as with program officials. The recently issued Commerce Acquisition Manual (CAM) Chapter 1301.670, Contracting Officer Representative Certification Policy, emphasizes the importance of communication by stating that the purpose of the program is to "...create a results oriented acquisition workforce focused on partnering, performance, quality, and accountability that ensures entrusted resources are used and managed wisely throughout all phases of the acquisition lifecycle." The COR Program incorporates the development of skill based competencies such as General Management Knowledge and Performance, and Procurement Knowledge and Performance. The development of the competencies includes the demonstration of skills such as the ability to partner, communicate and team, as well as an understanding and application of the COTR/COR's role in the procurement process, and how the CO and COTR/COR must work together with their stakeholders throughout the acquisition life cycle to ensure success. The Procurement Executive will continue to foster communication and partnering beginning at the highest levels within the Department and will continue to develop acquisition policies that incorporate the concepts of teaming, partnership and communication.

Recommendation #3 - Establish procedures and assign accountability to the CO and COTR, as appropriate, to conduct reviews of service contracts, in accordance with FISMA, OMB policy, NIST guidance, and the Department's information security policy, that will ensure contractor compliance with security procedures and controls.

We concur with the recommendation. The Department's Procurement Executive, in coordination with the OCIO and program officials, will work to ensure that adequate reviews are performed at the appropriate levels in accordance with the Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB) policy, National Institute of Standards and Technology (NIST) guidance and the Department's information security policy to ensure contractor compliance with security procedures and controls. Procurement Executive staff will collaborate with the OCIO and OGC to ensure that adequate reviews are incorporated into the existing contract review process and that the reviews are coordinated among the CO, COTR/COR, the system owner and the information security staff. The Procurement Executive staff will ensure that guidance is issued to ensure proper documentation of such reviews is included in the contract file. The Procurement Executive will issue guidance that reinforces the existing requirement of the CO and COTR to monitor contract performance. The guidance will require that COs and COTRs ensure that contractor compliance with security procedures and controls is incorporated into already existing performance management processes.
The Procurement Executive staffwill also collaborate with the\nOCIO to evaluate the possibility of integrating contract reviews into the information\nsecurity annual Compliance Review Program. The issuance of guidance by the\nProcurement Executive is anticipated to be completed by\nSeptember 30, 2004.\n\nWe appreciate the opportunity to comment on the draft report, and we look forward to\nreceiving a copy of the final report. If you have questions or would like to discuss the\nresponses in this memorandum, please contact Michael S. Sade at (202) 482-4248.\n\x0c                                         t,+~       01\' Co.\xc2\xad\n                                    l\'          ~              ~\n                                                                       UNITED STATES DEPARTMENT OF COMMERCE\n                                   f!I          ~              "b\n                                   *                               .\n                                                                 1ft\n                                                                       Chief Financial Officer and\n                                    \'i,\n                                    ?\'O\n                                            -                  ~\n                                                                H       Assistant  Secretary for Administration\n                                          -\'1-.4J\'Es di t#             Washington, D.C. 20230\n\n\n                                                                       SEP2 8 2004\n\n\nMEMORANDUM FOR:               Judith J. Gordon\n                              Assistant Inspector G\'neral for Systems Evaluation\n                                Office of Inspe~ &emera\n\nFROM:\t                        Otto J. 
Wolff\n                              Chief Financial\\OfJ\n                                Assistant Sec\n\nSUBJECT:\t                     Information Securif\\.inVnformation Technology Service\n                              Contracts is Improvin}:lbut Additional Efforts are Needed\n                              - Draft Inspection Report No. OSE-16513\n\nThis memorandum supplements our July 12, 2004 response to the findings and\nrecommendations in your draft report, on information security in the Department of\nCommerce\'s (DOC) information technology (IT) service contracts. Specifically this\nmemorandum provides additional infonnation to support our response to\nRecommendation No.2 - Implement procedures to strengthen communication between the\nContracting Officer (CO), Contracting Officer Technical Representative (COTR), and\nInformation Security staff.\n\nWe concur with the recommendation. The Department\'s Procurement Executive, in\ncoordination with the Office of the Chief Information Officer (OCIO) and program\nofficials, will work to ensure that communication is strengthened and that adequate\ncontrols are in place to ensure that IT Security is considered during the pre-solicitation,\naward and post award phases of the acquisition process. Procurement Executive staff\nwill collaborate with the OCIO and the Office of General Counsel (OGC) to ensure that\nIT Security contract requirements are adequately incorporated into existing contract\nreview processes, the IT Security Compliance Review Program, and existing contract\ncompliance and management processes. The Procurement Executive staff is currently\nworking with the OCIO to incorporate a review of service contracts in the FY 04 IT\nSecurity Compliance Review Program. A random sample of contracts will be reviewed\nto determine whether or not Contracting Offices have modified applicable contracts to\ninclude the mandatory IT Security contract clauses. 
The Procurement Executive and the\nOCIO will continue to work together to determine additional ways to partner to address\nthe IT Security recommendations of the Office of Inspector General.\n\nThe Procurement Executive staffwill issue guidance that outlines the IT Security contract\nrequirements throughout the various phases of the acquisition process and will ensure that\nsuch requirements are incorporated into the CO/COTR IT Security Training module that\n\x0c    is currently being developed. Substantial coordination with the OCIO, the OGe and the\n.   DOC AcquisitionOfficeswill be requiredto completeRecommendationNo.2. It is\n    anticipated that guidance will be issued by March 31, 2005.\n\n    We appreciate the opportunity to supplement our July 12, 2004 response to the draft\n    report, and we look forward to receiving a copy of the final report. If you have questions\n    or would like to discuss the responses in this memorandum, please contact\n    Michael S. Sade at (202) 482-4248.\n\x0c'